Abstract — In this paper, a mapping between initial states of the 
Fibonacci and the Galois configurations of NLFSRs is established. 
We show how to choose initial states for two configurations so 
that the resulting output sequences are equivalent. 

Index Terms — Fibonacci NLFSR, Galois NLFSR, initial state, 
pseudo-random sequence, stream cipher. 

I. Introduction 

Non-Linear Feedback Shift Registers (NLFSR) are a generalization
of Linear Feedback Shift Registers (LFSRs) in 
which a current state is a non-linear function of the previous 
state [1]. While the theory behind LFSRs is well-understood, 
many fundamental questions related to NLFSRs remain open. 

The interest in NLFSRs is motivated by their ability to 
generate pseudo-random sequences which are hard to break 
with existing cryptanalytic methods [2]. A common approach 
for encrypting confidential information is to use a stream 
cipher which combines plain text bits with a pseudo-random 
bit sequence [3]. The resulting encrypted information can be 
transformed back into its original form only by an authorized 
user possessing the cryptographic key. While LFSRs are 
widely used in testing and simulation [4], for cryptographic 
applications their pseudo-random sequences are not secure. 
The structure of an $n$-bit LFSR can be easily deduced by 
observing $2n$ consecutive bits of its sequence [5]. In contrast, an 
adversary might need $2^n$ bits of a sequence to determine the 
structure of the $n$-bit NLFSR which generates it [6]. A number 
of NLFSR-based stream ciphers for RFID and smartcard 
applications have been proposed, including Achterbahn [7], 
Grain [8], Dragon [9], Trivium [10], VEST [11], and the 
cipher [12]. 

Similarly to LFSRs, an NLFSR can be implemented either 
in the Fibonacci or in the Galois hardware configuration. In 
the former, the feedback is applied to the last bit of the register 
only, while in the latter the feedback can potentially be applied 
to every bit. The depth of circuits implementing feedback 
functions in a Galois configuration is usually smaller than the 
one in the equivalent Fibonacci configuration [13]. This makes 
the Galois configuration more attractive for stream ciphers 
where high throughput is important. For example, by 
re-implementing the NLFSR-based stream cipher Grain [8] from 
the original Fibonacci to the Galois configuration, one can 
double the throughput with no penalty in area or power [14]. 



In [13] it has been shown how to transform a Fibonacci 
NLFSR into an equivalent Galois NLFSR. While the resulting 
NLFSRs generate the same sets of output sequences, they 
follow different sequences of states and normally start from a 
different initial state. The relations between sequences of states 
and between initial states of two configurations are studied 
in this paper. One reason for studying the relation between 
sequences of states is that some NLFSR-based stream ciphers 
use not only the output of an NLFSR, but also several other 
bits of its state to produce a pseudo-random sequence. If a 
Fibonacci to Galois transformation is applied to an 
NLFSR-based stream cipher, it is important to know which bits of the 
state are affected by the transformation in order to preserve 
the original algorithm. Changing the algorithm is likely to 
influence the security of a cipher. For the same reason, we 
need to map the secret key and the initial value (IV) of the 
original cipher into the corresponding ones of the transformed 
cipher. Finally, knowing which initial state of the Galois 
configuration matches a given initial state of the Fibonacci 
configuration makes it possible to validate the equivalence of two 
configurations by simulation. 

The paper is organized as follows. Section II gives an 
introduction to NLFSRs and describes the Fibonacci to Galois 
transformation. In Section III we study a relation between 
the sequences of states generated by two equivalent NLFSRs. 
Section IV shows how to compute the initial state for the 
Galois configuration which matches a given initial state of the 
Fibonacci configuration. Section V concludes the paper and 
discusses open problems. 

II. Background 

In this section, we give an introduction to NLFSRs and 
briefly describe the transformation from the Fibonacci to the 
Galois configuration. For more details, the reader is referred 
to [13]. 

A. Definition of NLFSRs 

A Non-Linear Feedback Shift Register (NLFSR) consists of $n$ 
binary storage elements, called bits. Each bit $i \in \{0, 1, \ldots, n-1\}$ 
has an associated state variable $x_i$ which represents the 
current value of the bit $i$ and a feedback function $f_i : \{0,1\}^n \to \{0,1\}$ 
which determines how the value of $i$ is updated. For any 
$i \in \{0, 1, \ldots, n-1\}$, $f_i$ depends on $x_{(i+1) \bmod n}$ and a subset of 
variables from the set $\{x_0, x_1, \ldots, x_i\}$. 

A state of an NLFSR is an ordered set of values of its state 
variables $(x_0, x_1, \ldots, x_{n-1})$. At every clock cycle, the next state 
is determined from the current state by updating the values 
of all bits simultaneously to the values of the corresponding 
$f_i$'s. The output of an NLFSR is the value of its 0th bit. The 
period of an NLFSR is the length of the longest cyclic output 
sequence it produces. 

If for all $i \in \{0, 1, \ldots, n-2\}$ the feedback functions are 
of type $f_i = x_{i+1}$, we call an NLFSR the Fibonacci type. 
Otherwise, we call an NLFSR the Galois type. 

Two NLFSRs are equivalent if their sets of output sequences 
are equivalent. 

Feedback functions of NLFSRs are usually represented 
using the algebraic normal form. The algebraic normal form 
(ANF) of a Boolean function $f : \{0,1\}^n \to \{0,1\}$ is a polynomial 
in GF(2) of type 

$$f(x_0, \ldots, x_{n-1}) = \sum_{i=0}^{2^n-1} c_i \cdot x_0^{i_0} \cdot x_1^{i_1} \cdots x_{n-1}^{i_{n-1}},$$

where $c_i \in \{0,1\}$ and $(i_0 i_1 \ldots i_{n-1})$ is the binary expansion of 
$i$ with $i_0$ being the least significant bit. Throughout the paper, 
we call a term of the ANF a product-term. 

B. The transformation from the Fibonacci to the Galois configuration 

Let $f_i$ and $f_j$ be feedback functions of bits $i$ and $j$ of an 
$n$-bit NLFSR, respectively. The operation shifting, denoted by 
$f_i \xrightarrow{P} f_j$, moves a set of product-terms $P$ from the ANF of 
$f_i$ to the ANF of $f_j$. The index of each variable $x_k$ of each 
product-term in $P$ is changed to $x_{(k-i+j) \bmod n}$. 

The terminal bit $\tau$ of an $n$-bit NLFSR is the bit with the 
maximal index which satisfies the following condition: 

For all bits $i$ such that $i < \tau$, $f_i$ is of type $f_i = x_{i+1}$. 

An $n$-bit NLFSR is uniform if the following two conditions 
hold: 

(a) all its feedback functions are singular functions of type 

$$f_i(x_0, \ldots, x_{n-1}) = x_{(i+1) \bmod n} \oplus g_i(x_0, \ldots, x_{n-1}),$$

where $g_i$ does not depend on $x_{(i+1) \bmod n}$, 

(b) for all its bits $i$ such that $i > \tau$, the index of every variable 
of $g_i$ is not larger than $\tau$. 

Theorem 1: [13] Given a uniform NLFSR with the terminal 
bit $\tau$, a shifting $g_\tau \rightarrow g_{\tau'}$, $\tau' < \tau$, results in an equivalent NLFSR 
if the transformed NLFSR is uniform as well. 

III. The Relation Between Sequences of States 

Although a Fibonacci NLFSR and a Galois NLFSR can 
generate the same output sequence, they follow different 
sequences of states. Therefore, in order to generate the same 
output sequence, they normally have to be set to different 
initial states. In this section we study the relation between 
sequences of states produced by two equivalent NLFSRs and 
derive a basic property which will be used to prove the 
main result of the paper. 

Let $s = (s_0, s_1, \ldots, s_{n-1})$ be a state of an NLFSR, $s_i \in \{0,1\}$. 
Throughout the paper, we use $g_i(s)$ to denote the value of the 
function $g_i$ evaluated for the vector $s$. We also use $g_i|_{+m}$ to 
denote the function obtained from the function $g_i$ by increasing 
indexes of all variables of $g_i$ by $m$. For example, if $g_1 = x_1 \cdot x_2 \oplus x_3$, 
then $g_1|_{+2} = x_3 \cdot x_4 \oplus x_5$. To simplify the exposition, 
we do not list variables of a function explicitly if it does not 
cause any ambiguity, i.e. in the previous example we wrote $g_1$ 
instead of $g_1(x_1, x_2, x_3)$. 

Lemma 1: Let $N_1$ be an $n$-bit uniform NLFSR with the 
terminal bit $\tau$, $0 < \tau < n-1$, which has the feedback function 
of type 

$$f_\tau = x_{(\tau+1) \bmod n} \oplus g_\tau \oplus p_\tau$$

and let $N_2$ be an equivalent uniform NLFSR obtained from $N_1$ 
by shifting from $\tau$ to $\tau - 1$ the set of product-terms represented 
by the function $p_\tau$. 

If $N_1$ is initialized to a state $s = (s_0, s_1, \ldots, s_{n-1})$ and $N_2$ is 
initialized to the state $(s_0, s_1, \ldots, s_{\tau-1}, r_\tau, s_{\tau+1}, \ldots, s_{n-1})$, where 

$$r_\tau = s_\tau \oplus p_\tau|_{-1}(s) \qquad (1)$$

then they generate sequences of states which differ in the bit 
$\tau$ only. 

Proof: Suppose that $N_1$ is initialized to a state 
$s = (s_0, s_1, \ldots, s_{n-1})$ and $N_2$ is initialized to a state 
$r = (r_0, r_1, \ldots, r_{n-1})$, such that $r_i = s_i$ for all $i$ except $i = \tau$ and $r_\tau$ is given by 
(1). 

On one hand, for $N_1$, the next state is $s^+ = (s_0^+, s_1^+, \ldots, s_{n-1}^+)$ 
such that 

$$\begin{aligned}
s_{n-1}^+ &= s_0 \oplus g_{n-1}(s_1, s_2, \ldots, s_{\tau-1}) \\
&\;\;\vdots \\
s_\tau^+ &= s_{\tau+1} \oplus g_\tau(s_0, s_1, \ldots, s_{\tau-1}) \oplus p_\tau(s_1, s_2, \ldots, s_\tau) \\
s_{\tau-1}^+ &= s_\tau \\
&\;\;\vdots \\
s_0^+ &= s_1.
\end{aligned}$$

Note that, since $N_1$ is uniform, the functions $g_{n-1}, g_{n-2}, \ldots, g_\tau$ 
may only depend on variables with indexes between 0 and $\tau$. 
Furthermore, $g_{n-1}, g_{n-2}, \ldots, g_\tau$ cannot depend on the variable 
$x_\tau$, since otherwise $N_2$ would not be uniform after shifting. 
For the same reason, the function $p_\tau$ cannot depend on the 
variable $x_0$. 

On the other hand, for $N_2$, the next state is 
$r^+ = (r_0^+, r_1^+, \ldots, r_{n-1}^+)$, where 

$$\begin{aligned}
r_{n-1}^+ &= r_0 \oplus g_{n-1}(r_1, r_2, \ldots, r_{\tau-1}) \\
&\;\;\vdots \\
r_\tau^+ &= r_{\tau+1} \oplus g_\tau(r_0, r_1, \ldots, r_{\tau-1}) \\
r_{\tau-1}^+ &= r_\tau \oplus p_\tau|_{-1}(r_0, r_1, \ldots, r_{\tau-1}) \\
r_{\tau-2}^+ &= r_{\tau-1} \\
&\;\;\vdots \\
r_0^+ &= r_1.
\end{aligned}$$

By substituting $r_i = s_i$ for all $i$ except $i = \tau$, we get: 

$$\begin{aligned}
r_\tau^+ &= s_{\tau+1} \oplus g_\tau(s_0, s_1, \ldots, s_{\tau-1}) \\
r_{\tau-1}^+ &= r_\tau \oplus p_\tau|_{-1}(s_0, s_1, \ldots, s_{\tau-1})
\end{aligned}$$

By substituting $r_\tau$ by (1), we get 

$$\begin{aligned}
r_{\tau-1}^+ &= s_\tau \oplus p_\tau|_{-1}(s_0, s_1, \ldots, s_{\tau-1}) \oplus p_\tau|_{-1}(s_0, s_1, \ldots, s_{\tau-1}) \\
&= s_\tau.
\end{aligned}$$

So, the next state of $N_2$ is 

$$\begin{aligned}
r_{n-1}^+ &= s_{n-1}^+ \\
&\;\;\vdots \\
r_\tau^+ &= s_{\tau+1} \oplus g_\tau(s_0, s_1, \ldots, s_{\tau-1})
\end{aligned}$$

i.e. the next states of $N_1$ and $N_2$ can potentially differ only in the 
bit position $\tau$. 

In order to extend this conclusion to a sequence of states, 
it remains to show that the resulting $r_\tau^+$ can be expressed 
according to (1). From 

$$s_\tau^+ = s_{\tau+1} \oplus g_\tau(s_0, s_1, \ldots, s_{\tau-1}) \oplus p_\tau(s_1, s_2, \ldots, s_\tau)$$

we can derive 

$$s_{\tau+1} = s_\tau^+ \oplus g_\tau(s_0, s_1, \ldots, s_{\tau-1}) \oplus p_\tau(s_1, s_2, \ldots, s_\tau).$$

Substituting it to the expression of $r_\tau^+$ above and eliminating 
the double occurrence of $g_\tau(s_0, s_1, \ldots, s_{\tau-1})$, we get 

$$r_\tau^+ = s_\tau^+ \oplus p_\tau(s_1, s_2, \ldots, s_\tau).$$

Since $p_\tau(s_1, s_2, \ldots, s_\tau) = p_\tau|_{-1}(s_0^+, s_1^+, \ldots, s_{\tau-1}^+)$, we get 

$$r_\tau^+ = s_\tau^+ \oplus p_\tau|_{-1}(s^+).$$

□ 

As an example, consider the following 4-bit NLFSR $N_1$: 

$$\begin{aligned}
f_3 &= x_0 \oplus x_1 \\
f_2 &= x_3 \oplus x_1 \oplus x_0 x_1 \\
f_1 &= x_2 \\
f_0 &= x_1
\end{aligned}$$

which has the period 15. Suppose we shift the product term 
$x_1$ from the bit 2 to the bit 1. Then we get the following 
equivalent NLFSR $N_2$: 

$$\begin{aligned}
f_3 &= x_0 \oplus x_1 \\
f_2 &= x_3 \oplus x_0 x_1 \\
f_1 &= x_2 \oplus x_0 \\
f_0 &= x_1.
\end{aligned}$$

The sequences of states of $N_1$ and $N_2$ are shown in the 1st 
and 2nd columns of Table I. The initial states of $N_1$ and $N_2$ 
are $(s_3 s_2 s_1 s_0) = (0001)$ and $(r_3 r_2 r_1 r_0) = (0101)$, respectively. 
According to Lemma 1, we have $r_0 = s_0$, $r_1 = s_1$, $r_2 = s_2 \oplus s_0$, 
and $r_3 = s_3$. As we can see, these sequences differ in the bit 
2 only, which is the terminal bit of $N_1$. 



TABLE I 

Sequences of states of three equivalent 4-bit NLFSRs. 

           Galois               Fibonacci
  NLFSR N1      NLFSR N2      NLFSR N3
  x3x2x1x0      x3x2x1x0      x3x2x1x0
    0001          0101          0001
    1000          1000          1000
    0100          0100          0100
    0010          0010          1010
    1101          1001          1101
    1110          1110          0110
    1011          1111          1011
    0101          0001          0101
    1010          1010          0010
    1001          1101          1001
    1100          1100          1100
    0110          0110          1110
    1111          1011          1111
    0111          0011          0111
    0011          0111          0011



The following property follows trivially from Lemma 1. 

Lemma 2: Let $N_1$ be an $n$-bit uniform NLFSR with the 
terminal bit $\tau$, $0 < \tau < n-1$, which has the feedback function 
of type 

$$f_\tau = x_{(\tau+1) \bmod n} \oplus g_\tau \oplus p_\tau$$

and let $N_2$ be an equivalent uniform NLFSR obtained from $N_1$ 
by shifting from $\tau$ to $\tau - 1$ the set of product-terms represented 
by the function $p_\tau$. 

If $N_1$ is initialized to a state $s = (s_0, s_1, \ldots, s_{n-1})$ and $N_2$ is 
initialized to the state $(s_0, s_1, \ldots, s_{\tau-1}, r_\tau, s_{\tau+1}, \ldots, s_{n-1})$, such 
that 

$$r_\tau = s_\tau \oplus p_\tau|_{-1}(s), \qquad (2)$$

then $N_1$ and $N_2$ generate the same output sequence. 

As an example, consider the sequences of states of NLFSRs 
$N_1$ and $N_2$ shown in the 1st and 2nd columns of Table I. Since 
their initial states (0001) and (0101) agree with Lemma 2, $N_1$ 
and $N_2$ generate the same output sequence 100010110100111. 

IV. The Mapping Between Initial States 

This section presents the main result of the paper. 

Theorem 2: Let $N_F$ be an $n$-bit Fibonacci NLFSR and $N_G$ 
be an equivalent uniform Galois NLFSR with the terminal bit 
$0 < \tau < n-1$ and the feedback functions of type 

$$\begin{aligned}
f_{n-1} &= x_0 \oplus g_{n-1} \\
f_{n-2} &= x_{n-1} \oplus g_{n-2} \\
&\;\;\vdots \\
f_\tau &= x_{\tau+1} \oplus g_\tau \\
f_{\tau-1} &= x_\tau \\
&\;\;\vdots \\
f_0 &= x_1.
\end{aligned} \qquad (3)$$

If $N_F$ is initialized to a state $s = (s_0, s_1, \ldots, s_{n-1})$ and $N_G$ is 
initialized to the state $(s_0, s_1, \ldots, s_\tau, r_{\tau+1}, r_{\tau+2}, \ldots, r_{n-1})$ such 
that 

$$r_i = s_i \oplus g_{i-1}(s) \oplus g_{i-2}|_{+1}(s) \oplus \cdots \oplus g_\tau|_{+i-\tau-1}(s)$$

for all $i \in \{n-1, n-2, \ldots, \tau+1\}$, then $N_F$ and $N_G$ generate 
the same output sequence. 
Proof: From the definition of shifting, we can conclude that 
if, after the transformation, the Galois NLFSR has feedback 
functions of type (3), then the feedback function of the $(n-1)$th 
bit of the original Fibonacci NLFSR is of type: 

$$f'_{n-1} = x_0 \oplus g_{n-1} \oplus g_{n-2}|_{+1} \oplus g_{n-3}|_{+2} \oplus \cdots \oplus g_\tau|_{+n-1-\tau}.$$

Any uniform Galois NLFSR can be obtained by first shifting 
all product-terms of the original Fibonacci NLFSR but the 
ones represented by $g_{n-1}$ from the bit $n-1$ to the bit $n-2$, 
then shifting all product-terms but the ones represented by 
$g_{n-2}$ from the bit $n-2$ to the bit $n-3$, etc., i.e. using a 
sequence of $n-1-\tau$ shiftings by one bit. This means that, at 
each step, the set of product-terms represented by the function 

$$p_{n-1-i} = g_{n-1-i-1}|_{+1} \oplus g_{n-1-i-2}|_{+2} \oplus \cdots \oplus g_\tau|_{+n-1-i-\tau} \qquad (4)$$

is shifted from the bit $n-1-i$ to the bit $n-1-i-1$, 
for $i \in \{0, 1, \ldots, n-1-\tau-1\}$. Furthermore, for each 
$i \in \{0, 1, \ldots, n-1-\tau-1\}$, by Lemma 2, if the NLFSR before 
shifting is initialized to some state $s'$ and the NLFSR after 
shifting is initialized to the state where the bit $n-1-i$ has 
the value $s'_{n-1-i} \oplus p_{n-1-i}|_{-1}(s')$ and all other bits have the 
same values as the corresponding bits of $s'$, then two NLFSRs 
generate the same output sequence. 

Therefore, we can conclude that if the original Fibonacci 
NLFSR $N_F$ is initialized to the state $s = (s_0, s_1, \ldots, s_{n-1})$ and 
the NLFSR $N_G$ obtained using the sequence of $n-1-\tau$ 
shiftings by one bit described above is initialized to the state 
$(s_0, s_1, \ldots, s_\tau, r_{\tau+1}, r_{\tau+2}, \ldots, r_{n-1})$ such that 

$$r_j = s_j \oplus p_j|_{-1}(s)$$

for each $j \in \{n-1, n-2, \ldots, \tau+1\}$ and $p_j$ is defined by (4), 
then $N_F$ and $N_G$ generate the same output sequence. 

□ 

Since the functions $g_{n-1}, g_{n-2}, \ldots, g_\tau$ of a uniform Galois 
NLFSR depend on variables with indexes between 0 and $\tau$ only, 
the following property follows directly from Theorem 2. 

Lemma 3: Let $N_F$ be an $n$-bit Fibonacci NLFSR and $N_G$ be 
an equivalent uniform Galois NLFSR with the terminal bit $\tau$. 
If both $N_F$ and $N_G$ are initialized to any state $(s_0, s_1, \ldots, s_{n-1})$ 
such that $s_i = 0$ for all $i \in \{0, 1, \ldots, \tau\}$, then they generate the 
same output sequence. 

As an example, consider the 4-bit Fibonacci NLFSR $N_3$ 
with the feedback functions: 

$$\begin{aligned}
f_3 &= x_0 \oplus x_1 \oplus x_2 \oplus x_1 x_2 \\
f_2 &= x_3 \\
f_1 &= x_2 \\
f_0 &= x_1
\end{aligned}$$

which is equivalent to the Galois NLFSRs $N_1$ and $N_2$ from 
the previous example. The 3rd column of Table I shows the 
sequence of states of $N_3$. The terminal bits of $N_1$ and $N_2$ are 
2 and 1, respectively. Therefore, if (1000) is used as an initial 
state (2nd row of Table I), all three NLFSRs generate the same 
output sequence 000101101001111. 
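
The initial-state mapping of Theorem 2, checked by simulation on the three 4-bit NLFSRs above; this is an added example, not code from the paper. The term-list encoding of the functions $g_i$, the state tuples ordered (s0, s1, s2, s3) and all function names are assumptions of the example.

```python
from itertools import product

def ev(f, s):
    """Evaluate an ANF over GF(2); f is a list of product-terms (tuples of indexes)."""
    return sum(all(s[k] for k in term) for term in f) % 2

def shift(f, m):
    """The paper's g|+m: raise the index of every variable of g by m."""
    return [tuple(k + m for k in term) for term in f]

def step(s, g):
    """One clock of a uniform NLFSR, f_i = x_((i+1) mod n) XOR g_i, all bits at once."""
    n = len(s)
    return tuple(s[(i + 1) % n] ^ ev(g[i], s) for i in range(n))

def output(s, g, length):
    """First `length` output bits (bit 0 of each state), starting from state s."""
    bits = []
    for _ in range(length):
        bits.append(s[0])
        s = step(s, g)
    return bits

def galois_init(s, g, tau):
    """Theorem 2: r_i = s_i + g_(i-1)(s) + g_(i-2)|+1(s) + ... + g_tau|+(i-tau-1)(s)."""
    r = list(s)
    for i in range(tau + 1, len(s)):
        for j in range(tau, i):
            r[i] ^= ev(shift(g[j], i - 1 - j), s)
    return tuple(r)

# g_i for bits 0..3 of the three NLFSRs; a state (s3 s2 s1 s0) is the tuple (s0, s1, s2, s3).
N3 = [[], [], [], [(1,), (2,), (1, 2)]]   # Fibonacci: f3 = x0 + x1 + x2 + x1x2
N1 = [[], [], [(1,), (0, 1)], [(1,)]]     # Galois, terminal bit 2 (g3 = x1, as in N2)
N2 = [[], [(0,)], [(0, 1)], [(1,)]]       # Galois, terminal bit 1

def check_all_states():
    """Compare N3 with N1 and N2 from matched initial states, for all 16 states."""
    for s in product((0, 1), repeat=4):
        ref = output(s, N3, 15)
        if ref != output(galois_init(s, N1, 2), N1, 15):
            return False
        if ref != output(galois_init(s, N2, 1), N2, 15):
            return False
    return True

if __name__ == "__main__":
    print(galois_init((1, 0, 0, 0), N2, 1))   # Fibonacci state 0001 mapped for N2
    print(check_all_states())
```

For a cipher that loads key and IV bits into the register, `galois_init` is the step that converts the loaded Fibonacci state into the state the Galois implementation has to start from.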



V. Conclusion 

In this paper, we establish a relation between sequences of 
states generated by two equivalent NLFSRs and show how to 
compute the initial state for the Galois configuration which 
matches a given initial state of the Fibonacci configuration. 

Many fundamental problems related to NLFSRs remain 
open. Probably the most important one is finding a systematic 
procedure for constructing NLFSRs with a guaranteed long 
period. Available algorithms either consider some special 
cases [15], or are applicable to small NLFSRs only [16]. The 
general problem is hard because there seems to be no simple 
algebraic theory supporting it. Specifically, so far no analog 
of a primitive generator polynomial has been found for the 
nonlinear case. 